J0WI closed 6 years ago
This is something we'll have to take up with OSUOSL at some point. FWIW we do provide a GPG key that signs the packages.
GPG is fine to check plausibility, but HTTPS gives additional privacy, because others can't see exactly what you are downloading/searching for.
FWIW, one of the repository mirrors, https://hhvm.bauerj.eu/ (:innocent:), supports HTTPS.
This is in progress, waiting for CA approval.
Done for https://dl2.hhvm.com
When 3.23 is released, I'll change dl.hhvm.com to point at dl2.hhvm.com too (the certificate is valid for both).
If you decide to use this immediately, there's also a new GPG key for the apt repositories:
Let's encrypt the web!